Ethereal Packet Sniffing (Syngress) - page 21



Summary

We have given you a pretty high-level overview of Ethereal, its various features, and supporting programs. We covered the history of Ethereal, its compatibility with other sniffers, and its supported protocols. We gave you a brief look into the Ethereal GUI and the filter capabilities, because these areas will be covered in detail in later chapters. We also covered the programs that come with Ethereal that add additional functionality by manipulating capture files.

We explored several scenarios for using Ethereal in your network architecture. Spend some time getting to know your network and the way it is connected. Knowing how your network is segmented will greatly help with placing Ethereal to capture the information you need.

Finally, we covered an example network troubleshooting methodology. It is good practice to use this methodology every time you troubleshoot a problem. Once again, spending time getting to know your network and the protocols running on it will make troubleshooting a lot easier.





Solutions Fast Track

What is Ethereal?

  • Ethereal is a free and feature-rich network analyzer that rivals commercial counterparts.

  • Ethereal can decode more than 480 protocols (See Appendix).

  • Ethereal is compatible with more than 20 other sniffers and capture utilities.

  • Display and capture filters can be used to sort through network traffic.

  • Ethereal mailing lists are a great resource for information and support.

Supporting Programs

  • Ethereal also installs with supporting programs: tethereal, editcap, mergecap, and text2pcap.

  • Tethereal is a command-line version of Ethereal.

  • Editcap is used to remove packets from a file and translate the format of capture files.

  • Mergecap is used to merge multiple capture files into one.

  • Text2pcap is used to translate ASCII hexadecimal dump captures into libpcap output files.
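To show what the text2pcap conversion involves, here is an added example (not the Ethereal project's code) that turns a constructed "offset  bytes" hex dump into packets, writes them in the libpcap file layout (24-byte global header, 16-byte record header per packet), and reads the file back. The sample frames and their timestamps are constructed for the example.

```python
import struct

# Constructed sample: two short Ethernet frames in the "offset  bytes" hex-dump
# layout text2pcap accepts; an offset of 0000 starts a new packet.
SAMPLE_DUMP = """\
0000  ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01
0010  08 00 06 04 00 01 00 11 22 33 44 55 c0 a8 01 0a
0020  00 00 00 00 00 00 c0 a8 01 01
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00
0010  00 14 00 01 00 00 40 11 00 00 c0 a8 01 0a c0 a8
0020  01 01
"""
PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap with microsecond timestamps
LINKTYPE_ETHERNET = 1

def parse_hex_dump(text):
    """Return a list of packets (bytes); a line whose offset is 0 begins a new packet."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if int(parts[0], 16) == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        current.extend(int(b, 16) for b in parts[1:])
    if current:
        packets.append(bytes(current))
    return packets

def build_pcap(packets, ts_sec=0):
    """Serialize packets as a libpcap file: 24-byte global header, then a 16-byte record header before each packet."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        # ts_sec, ts_usec, incl_len, orig_len; constructed timestamps 1 ms apart
        out += struct.pack("<IIII", ts_sec, i * 1000, len(pkt), len(pkt)) + pkt
    return out

def read_pcap(data):
    """Parse a libpcap file back into packets, refusing one without the expected magic."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    packets, pos = [], 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, pos)
        pos += 16
        packets.append(data[pos:pos + incl_len])
        pos += incl_len
    return packets
```

Writing the result of build_pcap to a file gives a capture that Ethereal (or editcap and mergecap) can open like any other libpcap file.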

Using Ethereal in Your Network Architecture

  • Correct placement of Ethereal in your network architecture is critical to capture the data you need.

  • Taps, hubs, and switches with port spanning enabled can all be used to connect Ethereal to your network.

  • You should create a troubleshooting toolkit consisting of a small hub, small network tap, and extra straight-through and crossover cables.

  • Installing Ethereal on a laptop makes troubleshooting at various locations easier.

Using Ethereal for Network Troubleshooting

  • Following a methodical troubleshooting process can minimize the time it takes to solve the problem.

  • Identifying and testing the cause of a problem often involves research on the Internet or support calls to hardware or software vendors.

  • Sometimes, solving one problem could create another.

  • Keeping detailed notes on how you solved the problem will assist in future troubleshooting efforts.





Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1. How do I know if someone is already working on a protocol dissector for a protocol that isn’t supported yet by Ethereal?

Send an e-mail to the Ethereal developers mailing list. Most likely, if someone is writing a dissector they are also part of this list.

2. Will port spanning increase the load on my switch?

Yes, but how much depends on several factors, such as how many ports you are mirroring and how much traffic is going through those ports. Newer switches can handle port spanning efficiently, and the increased load will not be noticeable.

3. I started using Ethereal on my network just to have a look and I couldn’t believe how much traffic was out there! It was scrolling so fast I couldn’t even make sense of it. What should I do?

This is common, especially on larger networks or networks with large collision domains. The best thing to do is to start capturing chunks of data and saving them to a file. Then you can use various display filters to sort out the data and make sense of what is going on.

4. Do I need to use Editcap to translate capture files that are from different products to a common format before merging them with Mergecap?

No, Mergecap can automatically translate the files as it merges them. It will do this for all of the compatible products that Ethereal supports. It can even automatically uncompress gzip files if you compiled Ethereal with gzip support.

5. When I am on call for network problems I follow a basic troubleshooting methodology and keep detailed notes; however, my coworkers fail to do the same when they are on call. What should I do?

Get management’s support on the necessity and benefits of documenting the troubleshooting process. You can even suggest that you start a “day after” e-mail report that thoroughly documents the problem and the resolution. This e-mail report can be used to update upper-level management and general users in the organization. Your coworkers will have more reason to comply with this policy when their names are attached to something so public!

6. I am using a hub to analyze network traffic, but I am still not seeing all of the traffic.

Some hubs have an “auto-sensing” or “dual speed” feature that senses your network interface card speed and sets the hub port to the appropriate speed, 10Mbps or 100Mbps. Some of these hubs will only broadcast 10Mbps traffic to other 10Mbps ports, and 100Mbps traffic to other 100Mbps ports, so if you have mixed-speed traffic on your hub you may be missing some of it. Linksys and Netgear have been known to have this issue; check with your hub vendor to see if this is documented for your product.

7. Can I perform port spanning on switches other than Cisco?

Yes. Port spanning is a Cisco term, but other products perform the same thing and call it port mirroring. These products include HP and Nortel switches, and some newer products even come with dedicated management ports built in.


